
NICK ADSL UK
MVM
join:2004-02-22
united kingd

NICK ADSL UK

MVM

[WIN8] Windows 8 with Secure Boot enabled may no longer boot aft

Symptoms

Consider the following scenario:

• You have a certified Windows 8 or Windows RT UEFI-based computer and Secure Boot has been enabled in the computer's BIOS.
• You make changes to the computer's hardware. Examples would include adding a new graphics, networking or storage controller adapter.

In this scenario, Windows may no longer boot after the changes are made. You may encounter behaviors such as hanging at a black screen, Windows crashing with a blue screen, or BIOS error messages to change your settings.

Cause

This behavior may occur when Secure Boot has been enabled in your computer's BIOS. Secure Boot protects the integrity of the operating system and prevents unauthorized firmware, operating systems or UEFI drivers from interfering with the boot process.

Resolution

To work around this issue, Secure Boot must first be disabled before installing new hardware. For more information on disabling Secure Boot in your computer's BIOS, reference the manual that came with your motherboard or contact your motherboard manufacturer. If you are in an enterprise environment, contact your system administrator.

»support.microsoft.com/kb ··· id=16799
BlitzenZeus
Burnt Out Cynic
Premium Member
join:2000-01-13

1 recommendation

BlitzenZeus

Premium Member

Re: [WIN8] Windows 8 with Secure Boot enabled may no longer boot

Leaving secure boot enabled also prevents you from booting new os media, and rescue media. I've turned it off, and left it off. Win 8's use of hibernate might also block the use of uefi boot options even with secure boot disabled, combine the two, and you have to pull the hdd to even attempt to begin the recovery process on the hardware. For the average consumer this will just be a headache for those trying to fix a non-booting system.

sivran
Vive Vivaldi
Premium Member
join:2003-09-15
Irving, TX

sivran to NICK ADSL UK

Premium Member

to NICK ADSL UK
Sounds like Secure Boot has... very limited usefulness. Even in an environment where you'd want to prevent someone booting off external media, it'd be really annoying to forget about and probably not worth the trouble.

Kramer
Mod
join:2000-08-03
Richmond, VA

Kramer to NICK ADSL UK

Mod

to NICK ADSL UK
What is unclear is how to get out of the mess that Secure Boot has created. Will simply turning off Secure Boot in the BIOS allow one to then use the computer that was malfunctioning? All I read from your passage is that in order to prevent this from happening one should turn off secure boot in the BIOS *before* making these changes. What happens when the inevitable happens and you need to use the computer again? Let's say that works... can you then turn back on Secure Boot?

Having run into a good number of rootkit infections that mess around with the booting process I thought Secure Boot was a great idea. If however the feature turns an infected computer into one more difficult to repair, they have accomplished nothing. They need to work out a recovery process for this technology or it is just something that is going to cause more trouble than salvation. Now it looks like they are just going to be disabling a great number of otherwise healthy computers.
BlitzenZeus
Burnt Out Cynic
Premium Member
join:2000-01-13

BlitzenZeus

Premium Member

Yes you can turn it back on. Just hope the owner didn't set a bios password, and forget it. There's been multiple ways to clear a bios password before, otherwise they have a nice brick.

Kramer
Mod
join:2000-08-03
Richmond, VA

Kramer

Mod

I'm not sure I understand why, when a change is made that would hopefully notify someone something very nasty has potentially happened to your computer, you are greeted with "hanging at a black screen, Windows crashing with a blue screen, or BIOS error messages to change your settings."

Couldn't they just pop up a message that says something like: "System changes have occurred which have disabled your computer. If you have installed new hardware or a BIOS update, please turn off Secure Boot in your BIOS, save your changes and reboot your computer. Otherwise please run an offline security scan using a tool such as Windows Defender Offline to be sure your computer has not become infected with malware"?

I could be totally wrong, but it appears as if MS hasn't finished implementing the technology in a way that is useful and that it might be overly aggressive. Malware infections that could be potentially detected using Secure Boot are quite rampant these days. I'd love to know if a hidden partition has been installed on my hard drive and that the system is booting from it. I really don't want to be bothered with a warning when a new video card driver has been installed and I certainly don't want to have to remember to prepare my computer for such a minor task. It is a shame they didn't do a better job, because it is a decent idea.
BlitzenZeus
Burnt Out Cynic
Premium Member
join:2000-01-13

BlitzenZeus

Premium Member

I'm not sure why they have all those occurrences, those sound like more of side effects from hibernate aka fast startup where the system isn't tolerant to hardware changes unless it was properly shut down first. I haven't had to fix one of these problems personally yet.

The bios should either let it boot, or prevent it from booting, those seem to be the only logical options. I believe the interpretation of secure boot is up to the hardware manufacturer, and to have problems like those means the uefi allowed it to boot.

I can see things like this needed for security, but their implementation doesn't seem quite well thought out.

It's just easier to leave it disabled, and you merely just have two kinds of booting options in the bios, uefi and legacy now.
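
A check of the two settings discussed in the posts above (Secure Boot state and fast startup), to run before a hardware change. This is an added example, not part of any poster's reply; the function name `Get-BootChangeReadiness` and its output fields are hypothetical, and it assumes an elevated PowerShell prompt on Windows 8 or later.

```powershell
# Added example: report Secure Boot and fast startup state before a hardware change.
# Get-BootChangeReadiness is a hypothetical name; run from an elevated prompt.
function Get-BootChangeReadiness {
    $report = [ordered]@{
        SecureBoot  = 'Unknown'
        FastStartup = 'Unknown'
        Notes       = @()
    }

    # Confirm-SecureBootUEFI returns $true/$false on UEFI systems and throws otherwise.
    try {
        if (Confirm-SecureBootUEFI -ErrorAction Stop) { $report.SecureBoot = 'Enabled' }
        else { $report.SecureBoot = 'Disabled' }
    }
    catch [System.PlatformNotSupportedException] {
        $report.SecureBoot = 'NotSupported'
        $report.Notes += 'Firmware is legacy BIOS or the system booted in legacy mode.'
    }
    catch [System.UnauthorizedAccessException] {
        $report.Notes += 'Reading Secure Boot state needs an elevated prompt.'
    }

    # Fast startup (hybrid shutdown) is stored in HiberbootEnabled: 1 = on, 0 = off.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'
    $val = Get-ItemProperty -Path $key -Name HiberbootEnabled -ErrorAction SilentlyContinue
    if ($null -ne $val) {
        $report.FastStartup = if ($val.HiberbootEnabled -eq 1) { 'Enabled' } else { 'Disabled' }
    }

    if ($report.SecureBoot -eq 'Enabled') {
        $report.Notes += 'Secure Boot is on: the KB workaround is to disable it in firmware setup before installing the hardware.'
    }
    if ($report.FastStartup -eq 'Enabled') {
        $report.Notes += 'Fast startup is on: "shutdown /s /t 0" performs a full shutdown instead of a hybrid one.'
    }

    [pscustomobject]$report
}

Get-BootChangeReadiness | Format-List
```
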

Kramer
Mod
join:2000-08-03
Richmond, VA

Kramer

Mod

said by BlitzenZeus:

The bios should either let it boot, or prevent it from booting, those seem to be the only logical options. I believe the interpretation of secure boot is up to the hardware manufacturer, and to have problems like those means the uefi allowed it to boot.

I can see things like this needed for security, but their implementation doesn't seem quite well thought out.

It's just easier to leave it disabled, and you merely just have two kinds of booting options in the bios, uefi and legacy now.

Why not give the computer user the option to boot normally with a warning? I obviously don't fully understand the technology. Why even involve the BIOS unless you are guarding against changes to it? How often does that happen?
OZO
Premium Member
join:2003-01-17

OZO

Premium Member

said by Kramer:

Why not give the computer user the option to boot normally with a warning? I obviously don't fully understand the technology. Why even involve the BIOS unless you are guarding against changes to it? How often does that happen?

As I remember the old PCs had this option in BIOS - to warn the user if the boot sector was somehow modified. That worked well. Not sure why it should be replaced with "Secure boot" now, creating a lot of troubles for users...

chachazz
Premium Member
join:2003-12-14

chachazz to Kramer

Premium Member

to Kramer
Nice, simple explanation (Webopedia)...
quote:
Microsoft Secure Boot is a component of Microsoft's Windows 8 operating system that relies on the UEFI specification’s secure boot functionality to help prevent malicious software applications and "unauthorized" operating systems from loading during the system start-up process.

While there is some concern that Microsoft Secure Boot will make it difficult to install Linux or other operating systems on a Windows 8 computer, the secure boot functionality in Windows 8 is primarily designed to protect users from rootkits and other low-level malware attacks by blocking unauthorized (non-signed) executables and drivers from being loaded during the boot process.

Personal computers bearing the Windows 8-certified logo will be required to ship with Microsoft Secure Boot enabled.
Kerodo
join:2004-05-08

Kerodo to NICK ADSL UK

Member

to NICK ADSL UK
"unauthorized operating systems"... LOL...